Security experts are challenging Starbucks over the way passwords are stored in its widely used mobile payments app, saying that a lack of common security protocols makes it possible for a hacker with physical access to the phone to see the user’s Starbucks username and password — and potentially run up a bunch of purchases on the customer’s Starbucks card.

Retail technology columnist Evan Schuman reported on the practice in Computerworld this morning, citing the work of security researcher Daniel Wood. The problem, according to the Computerworld report, is that Starbucks is storing the user names and passwords in clear text on the device, in a way that can be accessed using the right tools when connected to a PC.

Apart from gaining access to a user’s Starbucks account, the situation could cause concern if someone uses the same password for multiple accounts, including other (potentially more sensitive) online services.

Responding to the questions, Starbucks executives told Schuman that the company has made unspecified changes in its practices, including “extra layers of security” to keep usernames and passwords safe.

Here’s a statement issued by Starbucks to GeekWire this morning.

Our customers’ security is of the utmost importance to us, and we actively monitor for risks and vulnerabilities. While we are aware of the theoretical vulnerabilities outlined in this report, there is no known impact to our customers at this time. To further mitigate our customers’ potential risk from these theoretical vulnerabilities, Starbucks has taken additional steps to safeguard any sensitive information that might have been transmitted in this way.

However, according to the Computerworld report, follow-up tests by Wood showed that the passwords and usernames were still visible to someone who knows the right tools to use, in addition to geolocation data.

A thief who used the same tools could conceivably charge purchases up to the limit of the stored value on the user’s Starbucks card. If the user had an auto-replenish option enabled for the stored-value card, the infiltrator could conceivably charge a whole lot of lattes, but Starbucks points out to Computerworld that such a situation would trigger a fraud alert from the user’s bank.